US11842350B2ActiveUtilityA1

Offline authentication

91
Assignee: VISA INT SERVICE ASSPriority: May 21, 2014Filed: Oct 13, 2020Granted: Dec 12, 2023
Est. expiryMay 21, 2034(~7.9 yrs left)· nominal 20-yr term from priority
G06Q 20/4015G06Q 20/3829H04L 9/3234H04L 9/3236H04L 9/3247H04L 9/3263H04L 63/0823H04W 12/065H04W 12/068H04W 12/069G06Q 2220/00H04L 9/3297H04L 63/126H04L 2209/56H04W 4/60H04W 12/10
91
PatentIndex Score
2
Cited by
1,152
References
16
Claims

Abstract

Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and using a signature key to generate a signature. The transaction can be an offline data authentication transaction, and access can be granted based on authentication of the signature prior to verifying the transaction cryptogram.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. An access device comprising:
 a processor; 
 a contactless interface transceiver to interact with a communication device; and 
 a memory coupled to the processor and storing code executable by the processor to perform operations including: 
 sending, to the communication device, terminal transaction data for a transaction, where the transaction is an offline transaction; 
 receiving, from the communication device, a certificate authority public key index, an issuer public key certificate, and a communication device public key certificate, where the certificate authority public key index identifies a certificate authority public key that authenticates the issuer public key certificate, the issuer public key certificate includes an issuer public key that authenticates the communication device public key certificate, and the communication device public key certificate includes a communication device public key; 
 receiving, from the communication device, a transaction cryptogram generated using a limited-use-key (LUK) as an encryption key to encrypt at least a plurality of data elements from the terminal transaction data, where the LUK is associated with a first set of one or more limited-use thresholds that limit usage of the LUK; 
 receiving, from the communication device, a signature generated using a signature key and at least a part of the terminal transaction data, where the signature key is associated with a second set of one or more limited-use thresholds that limit usage of the signature key, and the first set of one or more limited-use thresholds include a first limited-use threshold that is different than a second limited-use threshold included in the second set of one or more limited-use thresholds; 
 authenticating the communication device without requiring network activity by verifying the signature using the communication device public key; 
 in response to authenticating the communication device, granting access to a good or a service associated with the transaction prior to verifying the transaction cryptogram; and 
 after granting access to the good or the service, sending an authorization request message to an issuer to obtain authorization for the transaction from the issuer by verifying the transaction cryptogram with the issuer. 
 
     
     
       2. The access device of  claim 1 , wherein the operations further include:
 retrieving the certificate authority public key based on the certificate authority public key index; and 
 authenticating the issuer public key certificate using the certificate authority public key. 
 
     
     
       3. The access device of  claim 2 , wherein the operations further include:
 authenticating the communication device public key certificate using the issuer public key included in the issuer public key certificate. 
 
     
     
       4. The access device of  claim 2 , wherein the certificate authority public key is a first certificate authority public key, and wherein the operations further include:
 receiving, from a remote computer, a second certificate authority public key after the signature key has exceeded the second set of one or more limited-use thresholds. 
 
     
     
       5. The access device of  claim 1 , wherein the second set of one or more limited-use thresholds includes a time-to-live that indicates an amount of time for which the signature key is valid. 
     
     
       6. The access device of  claim 1 , wherein authenticating the signature includes:
 deciphering the signature using the communication device public key to obtain a hash value, and 
 comparing the hash value against an access device hash value computed by the access device. 
 
     
     
       7. The access device of  claim 1 , wherein the LUK is valid for more than one transaction. 
     
     
       8. The access device of  claim 1 , wherein the access device lacks network connectivity when the transaction is being conducted. 
     
     
       9. A method comprising:
 sending, by an access device, to a communication device, terminal transaction data for a transaction, where the transaction is an offline transaction; 
 receiving, by the access device, from the communication device, a certificate authority public key index, an issuer public key certificate, and a communication device public key certificate, where the certificate authority public key index identifies a certificate authority public key that authenticates the issuer public key certificate, the issuer public key certificate includes an issuer public key that authenticates the communication device public key certificate, and the communication device public key certificate includes a communication device public key; 
 receiving, by the access device, from the communication device, a transaction cryptogram generated using a limited-use-key (LUK) as an encryption key to encrypt at least a plurality of data elements from the terminal transaction data, where the LUK is associated with a first set of one or more limited-use thresholds that limit usage of the LUK; 
 receiving, by the access device, from the communication device, a signature generated using a signature key and at least a part of the terminal transaction data, where the signature key is associated with a second set of one or more limited-use thresholds that limit usage of the signature key, and the first set of one or more limited-use thresholds include a first limited-use threshold that is different than a second limited-use threshold included in the second set of one or more limited-use thresholds; 
 authenticating, by the access device, the communication device without requiring network activity by verifying the signature using the communication device public key; 
 in response to authenticating the communication device, granting, by the access device, access to a good or a service associated with the transaction prior to verifying the transaction cryptogram; and 
 after granting access to the good or the service, sending an authorization request message to an issuer to obtain authorization for the transaction from the issuer by verifying the transaction cryptogram with the issuer. 
 
     
     
       10. The method of  claim 9 , further comprising:
 retrieving, by the access device, the certificate authority public key based on the certificate authority public key index; and 
 authenticating, by the access device, the issuer public key certificate using the certificate authority public key. 
 
     
     
       11. The method of  claim 10 , further comprising:
 authenticating, by the access device, the communication device public key certificate using the issuer public key included in the issuer public key certificate. 
 
     
     
       12. The method of  claim 10 , wherein the certificate authority public key is a first certificate authority public key, and further comprising:
 receiving, by the access device, from a remote computer, a second certificate authority public key after the signature key has exceeded the second set of one or more limited-use thresholds. 
 
     
     
       13. The method of  claim 9 , wherein the second set of one or more limited-use thresholds includes a time-to-live that indicates an amount of time for which the signature key is valid. 
     
     
       14. The method of  claim 9 , wherein authenticating the signature includes:
 deciphering the signature using the communication device public key to obtain a hash value, and 
 comparing the hash value against an access device hash value computed by the access device. 
 
     
     
       15. The method of  claim 14 , wherein the communication device public key corresponds to the signature key, and wherein the access device hash value is computed over at least a portion of the terminal transaction data. 
     
     
       16. The method of  claim 9 , further comprising:
 receiving, by the access device, from the communication device, a token that is a substitute for an account identifier, the authorization request message including the token and the transaction cryptogram.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.